Last week Verizon Business announced that they now offer web application vulnerability assessment software as a service. Specifically, they are reselling a full version of WhiteHat Security’s offering, customized for Verizon business customers.
To be honest I’m somewhat biased here since WhiteHat’s CTO, Jeremiah Grossman, is a friend; but I’ve been fairly impressed with their model of SaaS-based continuous web app vulnerability assessment using a combination of scanning and manual validation to reduce false positives. Jeremiah’s marketing folks will hate it when I say this, but in my mind it’s closer to penetration testing than the other SaaS vulnerability assessment products, which rely completely on automated scanning. Perhaps instead of calling this “penetration testing” we can call it “exploit validation”. Web application vulnerabilities are tougher to deal with from a risk management perspective since, on the surface, it can be very difficult to tell if a vulnerability is exploitable, especially compared to the platform vulnerabilities typically checked by scanners. Since all web applications are custom, it’s important to validate those vulnerabilities to determine overall risk, as the results of a blind scan are generally full of potential false positives – unless the scanner has been de-tuned so much that the false negative rate is extremely high instead.
Verizon Business also sells a managed web application firewall, which they mention in the press release. If you refer back to our Building a Web Application Security Program series and paper, vulnerability assessment, penetration testing, and web application firewalls are core technologies for the secure deployment and secure operations phases of managing web applications (plus monitoring, which is usually provided by the WAF and other logging).
In that series and paper, we also discussed the advantages of WAF + VA, where you dynamically generate WAF policies based on validated vulnerabilities in your application. This supports a rapid “shield then patch” model.
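As an added illustration, and not code from this post or from any of the vendors it mentions, here is a small generator that turns validated scanner findings into ModSecurity virtual patches, the “shield” half of shield-then-patch. The finding format, the reserved rule-id range and the per-class allowlist patterns are all assumptions.

```python
"""Generate ModSecurity virtual patches from validated web-app scan findings."""
import json
import re

# Constructed sample: findings as a VA service might hand them over after manual
# validation. Only entries with "validated": true have been confirmed exploitable.
VALIDATED_FINDINGS = json.loads("""
[
  {"id": 101, "class": "sqli", "method": "GET",  "path": "/search",  "param": "q",    "validated": true},
  {"id": 102, "class": "xss",  "method": "POST", "path": "/comment", "param": "body", "validated": true},
  {"id": 103, "class": "sqli", "method": "GET",  "path": "/report",  "param": "id",   "validated": false}
]
""")

# Positive-security allowlists per vulnerability class (assumed policy): what the
# parameter may contain until the code fix ships. Scoping each rule to one method,
# path and parameter keeps the false-positive cost of the shield low.
ALLOWED_PATTERN = {
    "sqli": r"^[A-Za-z0-9 _\-]{0,64}$",   # letters, digits, spaces; no quotes or operators
    "xss":  r"^[^<>'\x22]{0,2000}$",      # no tag or attribute delimiters (\x22 is ")
}

RULE_ID_BASE = 900000  # assumed: a rule-id range reserved for local virtual patches


def value_allowed(vuln_class, value):
    """True if a parameter value satisfies the allowlist for that vulnerability class."""
    return re.fullmatch(ALLOWED_PATTERN[vuln_class], value) is not None


def virtual_patch(finding):
    """Return one chained ModSecurity rule for a validated finding, or None.

    The disruptive action (deny) sits on the first rule of the chain; the chained
    rules only narrow the scope to the method, the path and the vulnerable parameter.
    """
    if not finding.get("validated"):
        return None  # unvalidated: may be a false positive, so never block on it
    pattern = ALLOWED_PATTERN.get(finding["class"])
    if pattern is None:
        return None  # no shielding policy for this class; leave it to the code fix
    rule_id = RULE_ID_BASE + finding["id"]
    msg = "Virtual patch %d: %s in %s %s" % (finding["id"], finding["class"],
                                             finding["method"], finding["path"])
    return "\n".join([
        'SecRule REQUEST_METHOD "@streq %s" "id:%d,phase:2,deny,status:403,log,msg:\'%s\',chain"'
        % (finding["method"], rule_id, msg),
        '    SecRule REQUEST_FILENAME "@streq %s" "chain"' % finding["path"],
        '    SecRule ARGS:%s "!@rx %s" "t:none"' % (finding["param"], pattern),
    ])


def generate_patches(findings):
    """Emit virtual patches for every validated finding, skipping the rest."""
    return [rule for rule in (virtual_patch(f) for f in findings) if rule]


if __name__ == "__main__":
    print("\n\n".join(generate_patches(VALIDATED_FINDINGS)))
```

The unvalidated finding is deliberately left unshielded, which is the operational reason the post prefers validated results over a raw scan before feeding a WAF.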
In the released information, Verizon mentions that they support WAF + VA. Since we know they are using WhiteHat, that means their back-end for WAF is likely Imperva or F5, based on WhiteHat’s existing partnerships.
Thus Verizon has managed VA, managed WAF, managed WAF + VA, and some penetration testing support, via the VA product.
They also have a forensics investigation/breach response unit that collects all the information used to generate the Data Breach Investigations Report.
Let’s add this up… VA + Exploit Validation (lightweight pen testing) + WAF + (WAF + VA) + incident response + threat intelligence (based on real incident responses). That’s a serious chunk of managed web security available from a single service provider. My big question is: do they realize this? It isn’t clear that they are positioning these as a combined service, or that the investigations/response guys are tied in to the operations side.
The big gap is anything in the secure development side… which, to be honest, is hard (or impossible) for any provider unless you outsource your actual development to them.
SecureWorks is another vendor in this space, offering web application assessments and managed WAF (but I don’t know if they have WAF + VA)… and I’m pretty sure there are some others out there I’m missing.
What’s the benefit? These are all pieces I believe work better when they can feed information to each other… whether internal or hosted externally. I expect the next pieces to add are better integrated application monitoring, and database activity monitoring.
(For the disclosure record, we have no current business relationships with WhiteHat, Verizon, F5, or SecureWorks, but we have done work with Imperva).
6 Replies to “Verizon Has Most of the Web Application Security Pieces… But Do They Know It?”
Great assessment. Although I think that the main differentiator for Verizon here is the managed WAF capabilities. If you look at every other bullet point in your chart there are several other MSSPs that offer those services. Which leads me to my question: are WAFs valuable at an MSSP level?
I think the additional capability is certainly worthwhile but from a business-cost perspective, unless the application owner is passing the bulk of the costs onto the MSSP that additional capability might not make business sense (vs the alternative of leveraging the other bullet points in your chart exclusively).
Furthermore, if the customer’s purchasing decision is primarily based on passing implementation, management, administration, and monitoring costs to the MSSP, then the question is whether WAFs are capable of maintaining long-term profitability.
Just FYI Rich, Breach Security also partners with WhiteHat, and I believe this extends to the open source ModSecurity WAF.
Heck Stacy, might be time for a briefing.
One area I’m very interested in is how tightly is this all integrated and automated? That was the main driver behind the article, using Verizon as an example.
Thanks
Hi Rich – Yes, SecureWorks offers managed WAF and web app scanning services. We also have the capability to leverage the web app scanning data in the management of WAF policies. Our Web App Sec services align pretty well with the components you guys cover in your “Building a Web Application Security Program” paper.
Our Consulting group has been doing web app pen testing and code audits for a few years now. In the spring, we launched the managed WAF service. In October, we launched the web app scanning service (which also scans databases). We’ve also had the capability to monitor application logs for quite some time, although its value is largely dependent on the audit logging capabilities of the app.
Look at Verizon Business services in general. They are offering managed everything over their private IP and trying to integrate it all into one uber managed service. I don’t think any other US provider is even close to what they offer.
The difficulty they have is integrating all the units.
Verizon offers more pen testing than just through the VA – they have an application security program including “App certification” that they acquired through Cybertrust, which includes web application penetration testing.
http://www.verizonbusiness.com/products/security/application/
Whether one hand is talking to the other, I’m still not clear on either.